How cyber security impacts business decision making

Do you know what a cyber security strategy is? Do you think a cyber security strategy is imperative for the protection of your business, your staff, your suppliers, your customers, or your future growth plans? If you have a security strategy, do you currently know how this is linked to your IT strategy, your business mission, objectives, and goals? Or even how it could impact new revenue generation? 

Unfortunately, many IT and cyber security professionals struggle to communicate these topics effectively to business decision makers, instead of focusing on extra tooling that ultimately often has limited return on investment past a certain point. Without a coherent strategy in place, many organisations are throwing money left and right at solutions, products, and services that do not effectively address risk. Only business decision makers and internal influencers have the power to make order out of the chaos, but all too often they do not know where to start, how to ask for help, or get frustrated with suppliers taking advantage by hard selling products and services. 

Occasionally, a vendor will speak to me about a product or service we often already have an equivalent of, or that doesn’t fill a gap in my security and has a negative return on investment. I do not get any value from that approach and likely neither does anyone reading this article. So today I want to talk about strategy and why this matters most.  

A cyber security strategy needs four components to succeed: 

• To have clear and realistic short-term and long-term goals. 
• Clear links as to why the strategy helps your organisation achieve its mission, objectives, and goals. 
• Alignment with your IT strategy. 
• Targets your cyber kill chains. 

A cyber kill chain is each stage of an attack starting at reconnaissance right through to successful completion of goals. By layering your defences that disrupt your most prevalent kill chain threats you will have the greatest success reducing the likelihood and impact of an incident.  

To build a strategy on your cyber kill chains you need to have a deep understanding of the systems you use and how they fit into your organisations infrastructure and the people who use them. Although many industries face common threats, be they internal or external, intentional or accidental it helps to also have an understanding of the threats specific to your unique environment.  

When we see the reporting of incidents, we often only see the financial cost, and although often running into the millions the tangible impact is far greater. An example scenario many fear is a similar issue to the cyber-attack on Copeland Borough Council in 2017. 

Cyber-attack on Copeland Borough Council 

In August 2017, Copeland Borough Council was hit with a zero-day ransomware attack. A zero-day attack is an attack that exploits a newly discovered vulnerability, and a patch has yet to be created. These vulnerabilities are often the ones IT and security teams fear the most given the risks associated and once a patch has been released, they often still leave the underlying vulnerability exploitable or cause more havoc with the patches breaking system integrity. 

In this case, the attackers picked a bank holiday weekend to maximise the impact they could cause before being detected. 

Source: ukauthority.com 

At a basic level, the impact of this attack effectively meant the council was reduced to pen and paper for weeks, unable to deliver key services the people of Copeland relied upon, with the greatest impact being felt by the most vulnerable constituents. This additionally meant 300 council staff, and countless suppliers and partners went unpaid for weeks and all the emotional distress this caused. 

In 2019, 2 years after the attack, Copeland Borough Council was still recovering, citing that they were still struggling financially given to the £2M recovery cost coming out of a £9m operational budget. Additionally, years of work had been destroyed and records permanently lost, and as you can expect, this had a huge impact on staff morale.  

Because of this incident and many others like it, the UK government has announced an extra £37.8M of funding dedicated to improving local authority cyber resilience. 

It’s easy to judge an incident after the fact but having the foresight to implement an effective security strategy in advance could have prevented such an event from happening at all or at least limited the impact to a manageable level that did not impact future planning. Attacks like these leave very real and long-term scarring for any organisation and force organisations into survival mode for many years to come.   

The reality is most business owners and C-suite are constantly being asked for extra spending or have enrooted spending without re-evaluating the return on investment. A cyber security strategy’s primary output needs to be its ability to effectively disrupt your cyber kill chains and to be as resilient as possible for when your controls fail. This ultimately requires an in-depth knowledge of your critical processes and to have ownership and accountability of the services that support them. This might sound complex and resource intensive but honestly, it’s not and is what we at TSG do well.  

How can I stop my business from a cyberattack? 

The truth is, there will always be relentless and sophisticated cyber thieves who will never stop exploiting new vulnerabilities or your staff. The simplest and best strategy for most is to simply do the basics incredibly well by: 

• Actively discovering, documenting, understanding, and managing your risks. 
• Implementing multi-factor authentication on all systems. 
• Seeking out and managing your vulnerabilities. 
• Patching your systems, focusing on those that have access to the internet. 
• Backup your data
• Provide cyber training for your staff, making sure your system owners and data owners are cyber aware. 

It’s crucial to educate yourself and your employees on cyber security 

Even if you believe that your employees’ knowledge is up to scratch, it only takes one successful phishing attempt to trick them into revealing sensitive company information or access that could send your company into disaster recovery mode.  

At TSG, we not only provide cyber security awareness training for your employees, but we will put them to the test to see how well they’re retaining this knowledge and help to spot any employees who may have gaps in that knowledge that need addressing. 

How to support your internal IT team 

One of the best ways you can support your IT team is to give them the necessary resources and support to help prevent these attacks. No matter how large or small that team is, you need to ensure that these attacks are as preventable as feasible as a penny of prevention is worth a pound of cure when it’s supported by a cyber security strategy.  

Securing a cyber security technology partner like us at TSG can be an ideal solution as we have a plethora of powerful tools at our disposal and highly skilled specialist cyber security staff to help support IT teams that otherwise would not have access to such tools and knowledge.  

Download our cyber security brochure 

Every organisation has different needs, concerns, and things that make them unique so if you want to go beyond the above and be part of the responsible supply chain then come and have a talk with us, your IT teams, or even your current IT providers. We work with you to understand what security strategy is right for your organisation, that will protect you, your business, your people, and your customers delivering value and ensuring you can plan and build for the future with confidence. 

Download our brochure to learn more about how we can help you with your cyber security.